Hope the patch can be applied fast?
And without taking down whoever it is that uses AWS?
(I've lost track of the people who use it, not implying that no-one does)
The Xen Project has reported a new bug, XSA-169, that means “A malicious guest could cause repeated logging to the hypervisor console, leading to a Denial of Service attack.” The fix is simple – running only paravirtualised guests – but the bug is a big blunder for another reason. Xen is very widely used by big cloud …
This post has been deleted by its author
The article and the XSA state: “The fix for this bug was publicly posted on xen-devel, before it was appreciated that there was a security problem.”
If you look at http://www.xenproject.org/security-policy.html, section 2b, you will see it says "If the vulnerability is not already public, security@xenproject will negotiate with discoverer regarding embargo date and disclosure schedule. See below for detailed discussion." ... In this case, an issue was posted on the list without realising it might be a security issue. Later it was discovered that the issue constitutes a security issue. The project did not in fact breach its own policy, and as such the article is wrong.
This happened once in the entire time the project had the vulnerability process, which is quite a good record IMHO.